VCU Health Provides Notice of Data Privacy Incident
VCU Health Provides Notice of Data Privacy Incident
Virginia Commonwealth University Health System (“VCU Health”) has notified certain individuals about a recent incident involving the privacy of their Protected Health Information. VCU Health recently learned that transplant donor information was contained in the medical records of certain transplant recipients. VCU Health has also learned that transplant recipient information was contained in the medical records of certain transplant donors. This information may have been viewable to transplant recipients, donors, and/or their representatives when they logged into the recipient’s and/or donor’s patient portal. Additionally, this information may have been released in response to a release of information request made at the request of, or on behalf of, the recipient and/or donor. This information was not otherwise available to any unauthorized individuals. VCU Health’s internal team immediately began a review of the manner in which donor and recipient information is recorded and promptly resolved the issue. VCU Health’s investigation determined that the information was accessible to recipients, donors and/or their representatives as early as January 4, 2006.
As part of the investigation, VCU Health has been working very closely with external cybersecurity professionals experienced in handling these types of incidents. VCU Health discovered on February 7, 2022 that a limited amount of protected health information may have been viewable as a result of this incident. VCU subsequently determined between March 29 and May 27, 2022 that additional protected health information may have been viewable in other transplant recipients’ or donors’ medical records, which may have included names, Social Security numbers, lab results, medical record number, date(s) of service, and/or dates of birth. VCU Health has found no evidence to suggest that any information has been misused. The total number of donors and recipients involved in this incident is 4,441.
VCU Health has mailed notification letters to each potentially affected individual for whom it has enough information to determine a physical address. Notified individuals have been provided with best practices to protect their information, including placing a fraud alert and security freeze on their credit files, and obtaining a free credit report. Notified individuals are reminded to remain vigilant in reviewing financial account statements on a regular basis for any fraudulent activity. Individuals should also review the explanation of benefits statements that they receive from their health insurance providers and follow up on any items not recognized. Notified individuals whose Social Security numbers may have been involved have been offered complimentary credit monitoring. Additional safeguards are outlined below under “Other Important Information” section.
VCU Health is committed to maintaining the privacy of information pertaining to our patients and has taken many precautions to safeguard it. VCU Health continually evaluates and modifies its practices to enhance the security and privacy of patients’ information, including the education and counseling of our workforce regarding patient privacy matters.
For further questions or additional information regarding this incident, or to determine if you may be impacted, VCU Health has set up a dedicated toll-free response line for individuals to ask questions. The response line can be contacted at 855-610-3514 and is available Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time, excluding major U.S. holidays.
OTHER IMPORTANT INFORMATION
Placing a Fraud Alert on Your Credit File.
You may place an initial 1-year “fraud alert” on your credit files, at no charge. A fraud alert tells creditors to contact you personally before they open any new accounts. To place a fraud alert, call any one of the three major credit bureaus at the numbers listed below. As soon as one credit bureau confirms your fraud alert, they will notify the others.
Equifax
P.O. Box 105788
Atlanta, GA 30348
https://www.equifax.com/ personal/credit-report-services/credit-fraud-alerts/
(800) 525-6285
Experian
P.O. Box 9554
Allen, TX 75013
https://www.experian.com/ fraud/center.html
(888) 397-3742
TransUnion LLC
P.O. Box 6790
Fullerton, PA 92834-6790
https://www.transunion. com/fraud-alerts
(800) 680-7289
Placing a Security Freeze on Your Credit File.
If you are very concerned about becoming a victim of fraud or identity theft, you may request a “security freeze” be placed on your credit file, at no charge. A security freeze prohibits, with certain specific exceptions, the consumer reporting agencies from releasing your credit report or any information from it without your express authorization. You may place a security freeze on your credit report by sending a request in writing or by mail, to all three nationwide credit reporting companies. To find out more about how to place a security freeze, you can use the following contact information:
Equifax Security Freeze
P.O. Box 105788
Atlanta, GA 30348
https://www.equifax.com/personal/ credit-report-services/credit-freeze/
(800) 349-9960
Experian Security Freeze
P.O. Box 9554
Allen, TX 75013
http://experian.com/freeze
(888) 397-3742
TransUnion Security Freeze
P.O. Box 2000
Chester, PA 19016
https://www.transunion.com/ credit-freeze
(888) 909-8872
In order to place the security freeze, you’ll need to supply your name, address, date of birth, Social Security number and other personal information. After receiving your freeze request, each credit monitoring company will send you a confirmation letter containing a unique PIN (personal identification number) or password. Keep the PIN or password in a safe place. You will need it if you choose to lift the freeze.
If your personal information has been used to file a false tax return, to open an account or to attempt to open an account in your name or to commit fraud or other crimes against you, you may file a police report in the City in which you currently reside.
Obtaining a Free Credit Report.
Under federal law, you are entitled to one free credit report every 12 months from each of the above three major nationwide credit reporting companies. Call 1-877-322-8228 or request your free credit reports online at www.annualcreditreport.com. Once you receive your credit reports, review them for discrepancies. Identify any accounts you did not open or inquiries from creditors that you did not authorize. Verify all information is correct. If you have questions or notice incorrect information, contact the credit reporting company.
Additional Helpful Resources.
Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Checking your credit report periodically can help you spot problems and address them quickly.
If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call your local law enforcement agency and file a police report. Be sure to obtain a copy of the police report, as many creditors will want the information it contains to absolve you of the fraudulent debts. You may also file a complaint with the FTC by contacting them on the web at www.ftc.gov/idtheft, by phone at 1-877-IDTHEFT (1-877-438-4338), or by mail at Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcement for their investigations. In addition, you may obtain information from the FTC about fraud alerts and security freezes.
Protecting Your Medical Information.
The following practices can help to protect you from medical identity theft.
Only share your health insurance cards with your health care providers and other family members who are covered under your insurance plan or who help you with your medical care.
Review your “explanation of benefits statement” which you receive from your health insurance company. Follow up with your insurance company or care provider for any items you do not recognize. If necessary, contact the care provider on the explanation of benefits statement and ask for copies of medical records from the date of the potential access (noted above) to current date.
Ask your insurance company for a current year-to-date report of all services paid for you as a beneficiary. Follow up with your insurance company or the care provider for any items you do not recognize.
Iowa Residents: You may contact law enforcement or the Iowa Attorney General’s Office to report suspected incidents of identity Theft: Office of the Attorney General of Iowa, Consumer Protection Division, Hoover State Office Building, 1305 East Walnut Street, Des Moines, IA 50319, www.iowaattorneygeneral.gov, Telephone: 515-281-5164.
Maryland Residents: You may obtain information about avoiding identity theft from the Maryland Attorney General’s Office: Office of the Attorney General of Maryland, Consumer Protection Division, 200 St. Paul Place, Baltimore, MD 21202, www.oag.state.md.us/Consumer, Telephone: 888-743-0023.
Massachusetts Residents: Under Massachusetts law, you have the right to obtain a police report in regard to this incident. If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it.
New Mexico Residents: You have rights under the federal Fair Credit Reporting Act (FCRA). These include, among others, the right to know what is in your file; to dispute incomplete or inaccurate information; and to have consumer reporting agencies correct or delete inaccurate, incomplete, or unverifiable information. For more information about the FCRA, please visit www.consumer.ftc.gov/articles/pdf-0096-fair-credit-reporting-act.pdf or www.ftc.gov.
In Addition, New Mexico Consumers Have the Right to Obtain a Security Freeze or Submit a Declaration of Removal
As noted above, you may obtain a security freeze on your credit report to protect your privacy and ensure that credit is not granted in your name without your knowledge. You may submit a declaration of removal to remove information placed in your credit report as a result of being a victim of identity theft. You have a right to place a security freeze on your credit report or submit a declaration of removal pursuant to the Fair Credit Reporting and Identity Security Act.
The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. When you place a security freeze on your credit report, you will be provided with a personal identification number, password, or similar device to use if you choose to remove the freeze on your credit report or to temporarily authorize the release of your credit report to a specific party or parties or for a specific period of time after the freeze is in place. To remove the freeze or to provide authorization for the temporary release of your credit report, you must contact the consumer reporting agency and provide all of the following:
The unique personal identification number, password, or similar device provided by the consumer reporting agency;
Proper identification to verify your identity; and
Information regarding the third party or parties who are to receive the credit report or the period of time for which the credit report may be released to users of the credit report.
A consumer reporting agency that receives a request from a consumer to lift temporarily a freeze on a credit report shall comply with the request no later than three business days after receiving the request. As of September 1, 2008, a consumer reporting agency shall comply with the request within fifteen minutes of receiving the request by a secure electronic method or by telephone.
A security freeze does not apply in all circumstances, such as where you have an existing account relationship and a copy of your credit report is requested by your existing creditor or its agents for certain types of account review, collection, fraud control, or similar activities; for use in setting or adjusting an insurance rate or claim or insurance underwriting; for certain governmental purposes; and for purposes of prescreening as defined in the federal Fair Credit Reporting Act.
If you are actively seeking a new credit, loan, utility, telephone, or insurance account, you should understand that the procedures involved in lifting a security freeze may slow your own applications for credit. You should plan ahead and lift a freeze, either completely if you are shopping around or specifically for a certain creditor, with enough advance notice before you apply for new credit for the lifting to take effect. You should contact a consumer reporting agency and request it to lift the freeze at least three business days before applying. As of September 1, 2008, if you contact a consumer reporting agency by a secure electronic method or by telephone, the consumer reporting agency should lift the freeze within fifteen minutes. You have a right to bring a civil action against a consumer reporting agency that violates your rights under the Fair Credit Reporting and Identity Security Act.
To place a security freeze on your credit report, you must send a request to each of the three major consumer reporting agencies: Equifax, Experian, and TransUnion. You may contact these agencies using the contact information provided above.
New York Residents: You may obtain information about preventing identity theft from the New York Attorney General’s Office: Office of the Attorney General, The Capitol, Albany, NY 12224-0341; https://ag.ny.gov/consumer-frauds-bureau/identity-theft; Telephone: 800-771-7755.
North Carolina Residents: You may obtain information about preventing identity theft from the North Carolina Attorney General’s Office: Office of the Attorney General of North Carolina, Consumer Protection Division, 9001 Mail Service Center, Raleigh, NC 27699-9001, www.ncdoj.gov/, Telephone: 877-566-7226.
Oregon Residents: You may obtain information about preventing identity theft from the Oregon Attorney General’s Office: Oregon Department of Justice, 1162 Court Street NE, Salem, OR 97301-4096, www.doj.state.or.us/, Telephone: 877-877-9392
Washington D.C. Residents: You may obtain information about preventing identity theft from the Office of the Attorney General for the District of Columbia, 400 6th Street NW, Washington D.C. 20001, https://oag.dc.gov/consumer-protection, Telephone:
Virginia Commonwealth University Health System (“VCU Health”) has notified certain individuals about a recent incident involving the privacy of their Protected Health Information. VCU Health recently learned that transplant donor information was contained in the medical records of certain transplant recipients. VCU Health has also learned that transplant recipient information was contained in the medical records of certain transplant donors. This information may have been viewable to transplant recipients, donors, and/or their representatives when they logged into the recipient’s and/or donor’s patient portal. Additionally, this information may have been released in response to a release of information request made at the request of, or on behalf of, the recipient and/or donor. This information was not otherwise available to any unauthorized individuals. VCU Health’s internal team immediately began a review of the manner in which donor and recipient information is recorded and promptly resolved the issue. VCU Health’s investigation determined that the information was accessible to recipients, donors and/or their representatives as early as January 4, 2006.
As part of the investigation, VCU Health has been working very closely with external cybersecurity professionals experienced in handling these types of incidents. VCU Health discovered on February 7, 2022 that a limited amount of protected health information may have been viewable as a result of this incident. VCU subsequently determined between March 29 and May 27, 2022 that additional protected health information may have been viewable in other transplant recipients’ or donors’ medical records, which may have included names, Social Security numbers, lab results, medical record number, date(s) of service, and/or dates of birth. VCU Health has found no evidence to suggest that any information has been misused. The total number of donors and recipients involved in this incident is 4,441.
VCU Health has mailed notification letters to each potentially affected individual for whom it has enough information to determine a physical address. Notified individuals have been provided with best practices to protect their information, including placing a fraud alert and security freeze on their credit files, and obtaining a free credit report. Notified individuals are reminded to remain vigilant in reviewing financial account statements on a regular basis for any fraudulent activity. Individuals should also review the explanation of benefits statements that they receive from their health insurance providers and follow up on any items not recognized. Notified individuals whose Social Security numbers may have been involved have been offered complimentary credit monitoring. Additional safeguards are outlined below under “Other Important Information” section.
VCU Health is committed to maintaining the privacy of information pertaining to our patients and has taken many precautions to safeguard it. VCU Health continually evaluates and modifies its practices to enhance the security and privacy of patients’ information, including the education and counseling of our workforce regarding patient privacy matters.
For further questions or additional information regarding this incident, or to determine if you may be impacted, VCU Health has set up a dedicated toll-free response line for individuals to ask questions. The response line can be contacted at 855-610-3514 and is available Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time, excluding major U.S. holidays.
OTHER IMPORTANT INFORMATION
Placing a Fraud Alert on Your Credit File.
You may place an initial 1-year “fraud alert” on your credit files, at no charge. A fraud alert tells creditors to contact you personally before they open any new accounts. To place a fraud alert, call any one of the three major credit bureaus at the numbers listed below. As soon as one credit bureau confirms your fraud alert, they will notify the others.
Equifax
P.O. Box 105788
Atlanta, GA 30348
https://www.equifax.com/ personal/credit-report-services/credit-fraud-alerts/
(800) 525-6285
Experian
P.O. Box 9554
Allen, TX 75013
https://www.experian.com/ fraud/center.html
(888) 397-3742
TransUnion LLC
P.O. Box 6790
Fullerton, PA 92834-6790
https://www.transunion. com/fraud-alerts
(800) 680-7289
Placing a Security Freeze on Your Credit File.
If you are very concerned about becoming a victim of fraud or identity theft, you may request a “security freeze” be placed on your credit file, at no charge. A security freeze prohibits, with certain specific exceptions, the consumer reporting agencies from releasing your credit report or any information from it without your express authorization. You may place a security freeze on your credit report by sending a request in writing or by mail, to all three nationwide credit reporting companies. To find out more about how to place a security freeze, you can use the following contact information:
Equifax Security Freeze
P.O. Box 105788
Atlanta, GA 30348
https://www.equifax.com/personal/ credit-report-services/credit-freeze/
(800) 349-9960
Experian Security Freeze
P.O. Box 9554
Allen, TX 75013
http://experian.com/freeze
(888) 397-3742
TransUnion Security Freeze
P.O. Box 2000
Chester, PA 19016
https://www.transunion.com/ credit-freeze
(888) 909-8872
In order to place the security freeze, you’ll need to supply your name, address, date of birth, Social Security number and other personal information. After receiving your freeze request, each credit monitoring company will send you a confirmation letter containing a unique PIN (personal identification number) or password. Keep the PIN or password in a safe place. You will need it if you choose to lift the freeze.
If your personal information has been used to file a false tax return, to open an account or to attempt to open an account in your name or to commit fraud or other crimes against you, you may file a police report in the City in which you currently reside.
Obtaining a Free Credit Report.
Under federal law, you are entitled to one free credit report every 12 months from each of the above three major nationwide credit reporting companies. Call 1-877-322-8228 or request your free credit reports online at www.annualcreditreport.com. Once you receive your credit reports, review them for discrepancies. Identify any accounts you did not open or inquiries from creditors that you did not authorize. Verify all information is correct. If you have questions or notice incorrect information, contact the credit reporting company.
Additional Helpful Resources.
Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Checking your credit report periodically can help you spot problems and address them quickly.
If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call your local law enforcement agency and file a police report. Be sure to obtain a copy of the police report, as many creditors will want the information it contains to absolve you of the fraudulent debts. You may also file a complaint with the FTC by contacting them on the web at www.ftc.gov/idtheft, by phone at 1-877-IDTHEFT (1-877-438-4338), or by mail at Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcement for their investigations. In addition, you may obtain information from the FTC about fraud alerts and security freezes.
Protecting Your Medical Information.
The following practices can help to protect you from medical identity theft.
Only share your health insurance cards with your health care providers and other family members who are covered under your insurance plan or who help you with your medical care.
Review your “explanation of benefits statement” which you receive from your health insurance company. Follow up with your insurance company or care provider for any items you do not recognize. If necessary, contact the care provider on the explanation of benefits statement and ask for copies of medical records from the date of the potential access (noted above) to current date.
Ask your insurance company for a current year-to-date report of all services paid for you as a beneficiary. Follow up with your insurance company or the care provider for any items you do not recognize.
Iowa Residents: You may contact law enforcement or the Iowa Attorney General’s Office to report suspected incidents of identity Theft: Office of the Attorney General of Iowa, Consumer Protection Division, Hoover State Office Building, 1305 East Walnut Street, Des Moines, IA 50319, www.iowaattorneygeneral.gov, Telephone: 515-281-5164.
Maryland Residents: You may obtain information about avoiding identity theft from the Maryland Attorney General’s Office: Office of the Attorney General of Maryland, Consumer Protection Division, 200 St. Paul Place, Baltimore, MD 21202, www.oag.state.md.us/Consumer, Telephone: 888-743-0023.
Massachusetts Residents: Under Massachusetts law, you have the right to obtain a police report in regard to this incident. If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it.
New Mexico Residents: You have rights under the federal Fair Credit Reporting Act (FCRA). These include, among others, the right to know what is in your file; to dispute incomplete or inaccurate information; and to have consumer reporting agencies correct or delete inaccurate, incomplete, or unverifiable information. For more information about the FCRA, please visit www.consumer.ftc.gov/articles/pdf-0096-fair-credit-reporting-act.pdf or www.ftc.gov.
In Addition, New Mexico Consumers Have the Right to Obtain a Security Freeze or Submit a Declaration of Removal
As noted above, you may obtain a security freeze on your credit report to protect your privacy and ensure that credit is not granted in your name without your knowledge. You may submit a declaration of removal to remove information placed in your credit report as a result of being a victim of identity theft. You have a right to place a security freeze on your credit report or submit a declaration of removal pursuant to the Fair Credit Reporting and Identity Security Act.
The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. When you place a security freeze on your credit report, you will be provided with a personal identification number, password, or similar device to use if you choose to remove the freeze on your credit report or to temporarily authorize the release of your credit report to a specific party or parties or for a specific period of time after the freeze is in place. To remove the freeze or to provide authorization for the temporary release of your credit report, you must contact the consumer reporting agency and provide all of the following:
The unique personal identification number, password, or similar device provided by the consumer reporting agency;
Proper identification to verify your identity; and
Information regarding the third party or parties who are to receive the credit report or the period of time for which the credit report may be released to users of the credit report.
A consumer reporting agency that receives a request from a consumer to lift temporarily a freeze on a credit report shall comply with the request no later than three business days after receiving the request. As of September 1, 2008, a consumer reporting agency shall comply with the request within fifteen minutes of receiving the request by a secure electronic method or by telephone.
A security freeze does not apply in all circumstances, such as where you have an existing account relationship and a copy of your credit report is requested by your existing creditor or its agents for certain types of account review, collection, fraud control, or similar activities; for use in setting or adjusting an insurance rate or claim or insurance underwriting; for certain governmental purposes; and for purposes of prescreening as defined in the federal Fair Credit Reporting Act.
If you are actively seeking a new credit, loan, utility, telephone, or insurance account, you should understand that the procedures involved in lifting a security freeze may slow your own applications for credit. You should plan ahead and lift a freeze, either completely if you are shopping around or specifically for a certain creditor, with enough advance notice before you apply for new credit for the lifting to take effect. You should contact a consumer reporting agency and request it to lift the freeze at least three business days before applying. As of September 1, 2008, if you contact a consumer reporting agency by a secure electronic method or by telephone, the consumer reporting agency should lift the freeze within fifteen minutes. You have a right to bring a civil action against a consumer reporting agency that violates your rights under the Fair Credit Reporting and Identity Security Act.
To place a security freeze on your credit report, you must send a request to each of the three major consumer reporting agencies: Equifax, Experian, and TransUnion. You may contact these agencies using the contact information provided above.
New York Residents: You may obtain information about preventing identity theft from the New York Attorney General’s Office: Office of the Attorney General, The Capitol, Albany, NY 12224-0341; https://ag.ny.gov/consumer-frauds-bureau/identity-theft; Telephone: 800-771-7755.
North Carolina Residents: You may obtain information about preventing identity theft from the North Carolina Attorney General’s Office: Office of the Attorney General of North Carolina, Consumer Protection Division, 9001 Mail Service Center, Raleigh, NC 27699-9001, www.ncdoj.gov/, Telephone: 877-566-7226.
Oregon Residents: You may obtain information about preventing identity theft from the Oregon Attorney General’s Office: Oregon Department of Justice, 1162 Court Street NE, Salem, OR 97301-4096, www.doj.state.or.us/, Telephone: 877-877-9392
Washington D.C. Residents: You may obtain information about preventing identity theft from the Office of the Attorney General for the District of Columbia, 400 6th Street NW, Washington D.C. 20001, https://oag.dc.gov/consumer-protection, Telephone:
